Case #10009 (Closed)

Affiliated Job: New Trier Township District 2031
Opened: Monday, February 1, 2010
Closed: Thursday, February 11, 2010
Case Type(s): Helpdesk, Development, Server

Case Note(s): All cases are posted for review purposes only. Any implementations should be performed at your own risk.

Problem:

Despite our Sophos Enterprise deployment, the Conficker virus penetrated our environment sometime around December or January. The Helpdesk tried to contain the infestation; however, because many systems either did not have Sophos installed or had a broken installation, the outbreak spread across the entire network. The virus appears to stay within the local subnet on which it exists, so the servers remained unaffected.

On-Access scanning was enabled and Windows XP SP3 was installed across the network; therefore the effects of the virus were neutralized, but it could still spread to machines without Sophos. The virus spreads when an infected machine attempts to write a file into the Windows directory of a remote machine on the same subnet. It also attempts to create scheduled tasks that force the new file to run at various time intervals. Having On-Access scanning enabled allows clean machines to remain clean; but if a machine is already infected, a full scan is required.

Action(s) Performed:

Total Action(s): 1

Action #: 10038
Recorded Date: 2/11/2010 2:43:33 PM
Type: Development
User: contact@danieljchu.com

Our first step was to gather information about the machines without Sophos. I developed a script, run at computer startup on each workstation through Group Policy, to detect and record the machines without Sophos installed. These log files allowed us to identify which machines needed direct attention. The Sophos Enterprise Console also let us review the systems requiring attention: mostly these were machines with Sophos installed that were reporting networked machines attempting to write an infected file to the local hard disk. These machines remain unaffected because On-Access scanning protects the machine from reading and writing infected files. All settings of the Sophos Enterprise Console were also reviewed and, among other adjustments, scanning of removable drives was enabled.

The next step was to deploy a new group policy, for workstations only, to disable access to Scheduled Tasks and disable AutoPlay (KB962007).

Code to Check for Sophos [sophos.bat (1 or 2) (Text to Display)]:

@ECHO OFF
REM %1 = 1 for a computer startup run, 2 for a user logon run; %2 = free text recorded in the log line
SET vPassVar01=%1
SET vPassVar02=%2

REM Build USEDATE as MMDDYYYY from DATE/T (assumes the en-US "Day MM/DD/YYYY" format)
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET CDATE=%%B
FOR /F "TOKENS=1,2 eol=/ DELIMS=/ " %%A IN ('DATE/T') DO SET mm=%%B
FOR /F "TOKENS=1,2 DELIMS=/ eol=/" %%A IN ('echo %CDATE%') DO SET dd=%%B
FOR /F "TOKENS=2,3 DELIMS=/ " %%A IN ('echo %CDATE%') DO SET yyyy=%%B
SET USEDATE=%mm%%dd%%yyyy%

REM Quoted comparison so the IF still parses when no argument was passed
IF "%vPassVar01%"=="1" ECHO Logging Computer Logon to Workstation: %COMPUTERNAME%
IF "%vPassVar01%"=="2" ECHO Logging User Logon to Workstation: %COMPUTERNAME%
ECHO On: %DATE%
ECHO By User: %USERDOMAIN%/%USERNAME%
ECHO Logon Server: %LOGONSERVER%

REM Sophos present (32- or 64-bit install path): clear any earlier "missing" record for this machine
IF EXIST "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe" GOTO CONTINUE
IF EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" GOTO CONTINUE

REM Sophos missing: append one CSV line to this machine's file on the hidden share
ECHO %DATE%,%TIME%,%vPassVar02%,%USERDOMAIN%,%LOGONSERVER%,%COMPUTERNAME%,%USERNAME% >> "\\[SERVERNAME]\MachinesWOSophos$\%COMPUTERNAME%.txt"
GOTO END

:CONTINUE
IF EXIST "\\[SERVERNAME]\MachinesWOSophos$\%COMPUTERNAME%.txt" del "\\[SERVERNAME]\MachinesWOSophos$\%COMPUTERNAME%.txt"

:END
Resolution:

Among the actions taken, the most useful was to force-run the "Microsoft Windows Malicious Software Removal Tool." We did this through the logon script, which does the following:
- Copies mrt.exe locally
- Runs the mrt.exe scan
- Checks the final log created by the MRT scan for "Threat detected:"
  o If found, the log is copied out to the server into a "01-VirusFound" folder; also, if the words "the system needs to be restarted." are found in the log, the user is prompted to reboot
  o Otherwise it is placed into either "02-NoVirusFound" or "03-CouldNotRun", depending on whether the scan succeeded

This script runs in the background without the user ever knowing, and these logs help identify the machines requiring further attention. Using these reports we could determine which machines had Sophos and which did not, and also identify the infected ones, possibly indicating that the antivirus agent needed to be installed on that system.

Code to Run MRT Scan [RunMRT.cmd]:

@ECHO OFF
ECHO Processing Microsoft's Malicious Software Removal Tool...

REM Archive the previous MRT log and clear the working files
C:
CD \WINDOWS\DEBUG
type mrt.log >> mrt.org
del /F /Q mrt.log
del /F /Q mrt.txt

REM Stage Sleep.exe and a local copy of mrt.exe in the user's temp folder
C:
CD %USERPROFILE%\Local Settings\Temp
MKDIR MRTSCAN
CD MRTSCAN
del /F /Q mrt*.*
COPY /Y \\[DFS PATH]\SysVol\[DOMAIN]\Policies\{POLICY GUID}\Machine\Scripts\Startup\Microsoft\Sleep.exe
COPY /Y \\[DFS PATH]\SysVol\[DOMAIN]\Policies\{POLICY GUID}\Machine\Scripts\Startup\Microsoft\logon-scan\mrt.exe mrtv34.exe
SET PATH=%PATH%;%USERPROFILE%\Local Settings\Temp\MRTSCAN;

IF EXIST "%USERPROFILE%\Local Settings\Temp\MRTSCAN\mrtv34.exe" ( GOTO CONTINUE01 ) ELSE ( GOTO CONTINUE02 )

:CONTINUE01
REM Quiet scan; the script waits for mrt.exe to finish before continuing
call Sleep.exe 5
Start /wait mrtv34.exe /q

:CONTINUE02
REM Clear this machine's earlier results (the 01-VirusFound copy is deliberately kept)
REM del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\01-VirusFound\%computername%.log
del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\02-NoVirusFound\%computername%.log
del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log

REM Wrap the fresh mrt.log in a header and append it to the running archive
C:
CD \WINDOWS\DEBUG
ECHO ----* > mrt.txt
ECHO Scan Run By: %USERNAME% completed at %DATE%, %TIME% >> mrt.txt
ECHO ----* >> mrt.txt
type mrt.log >> mrt.txt
type mrt.txt >> mrt.org
del /F /Q mrt.log

IF EXIST "C:\WINDOWS\DEBUG\mrt.txt" ( GOTO CONTINUE03 ) ELSE ( GOTO CONTINUE04 )

:CONTINUE03
findstr /n /c:"Threat detected:" "C:\WINDOWS\DEBUG\mrt.txt"
IF %errorlevel%==0 (
    copy %windir%\debug\mrt.txt \\[SERVERNAME]\MS-MAL-RM-Tool$\01-VirusFound\%computername%.log
    REM /c: is a literal search, so no ".*" prefix; IF ERRORLEVEL is evaluated at run time,
    REM whereas %errorlevel% inside this block would be expanded when the block is parsed
    REM and would always carry the result of the first findstr
    findstr /n /c:"the system needs to be restarted." "C:\WINDOWS\DEBUG\mrt.txt"
    IF NOT ERRORLEVEL 1 (
        > "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO ON ERROR RESUME NEXT
        >> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO Dim Answer
        >> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO Set wshShell = CreateObject( "WScript.Shell" ^)
        >> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO Answer = MsgBox ( "A scan performed at logon has discovered & cleaned" ^& vbCrLf ^& _
        >> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "a virus found on this machine [%COMPUTERNAME%]." ^& vbCrLf ^& _
        >> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "Please reboot at your next opportunity, to reboot" ^& vbCrLf ^& _
        >> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "now click 'Yes.' Otherwise, to reboot later, simply click 'No.'" ^& vbCrLf ^& _
        >> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "Thank you for your assistance! - NTHS Help Desk.", 4, _
        >> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "New Trier: Help Desk" ^)
        >> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO If Answer = 6 Then wshShell.Run "shutdown -r -f -t 20", 0, false
        WSCRIPT.EXE "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs"
        DEL /F /Q "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs"
    )
) ELSE (
    copy %windir%\debug\mrt.txt \\[SERVERNAME]\MS-MAL-RM-Tool$\02-NoVirusFound\%computername%.log
)
del /F /Q mrt.txt
GOTO END

:CONTINUE04
REM mrt.txt could not be written: save whatever log material exists under 03-CouldNotRun
IF EXIST "C:\WINDOWS\DEBUG\mrt.log" (
    ECHO ----* > \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
    ECHO Attempted By: %USERNAME% completed at %DATE%, %TIME% >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
    ECHO ----* >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
    type %windir%\debug\mrt.log >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
) ELSE (
    IF EXIST "C:\WINDOWS\DEBUG\mrt.org" (
        ECHO ----* > \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
        ECHO Attempted By: %USERNAME% completed at %DATE%, %TIME% >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
        ECHO ----* >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
        type %windir%\debug\mrt.org >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
    ) ELSE (
        ECHO ----* > \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
        ECHO Attempted By: %USERNAME% completed at %DATE%, %TIME% >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
        ECHO mrt.log, .txt or .org file does not exist >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
        ECHO ----* >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
    )
)

:END
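Both shares end up holding one file per machine, and the case says the value of the two scripts was in the reports built from those files. The following is an added example, not the case's own code, of how those files could be rolled up into a triage list in Python: it parses the CSV line that sophos.bat writes (same seven fields, in the same order), applies the same two literal-string rules RunMRT.cmd uses to sort mrt.txt into 01-VirusFound, 02-NoVirusFound or 03-CouldNotRun, and ranks machines by whether they are infected, unprotected, or both. The share layout (one <COMPUTERNAME>.txt or .log per machine) is assumed from the scripts; the domain, server names and file contents in the sample are constructed, not real logs.

```python
"""Roll-up of the per-machine files that sophos.bat and RunMRT.cmd leave on the
MachinesWOSophos$ and MS-MAL-RM-Tool$ shares.

Added example, not the case's own code. The CSV field order and the two marker
strings come from the scripts above; the share layout (one file per machine)
is assumed from them. All sample file contents below are constructed.
"""

# Field order of the line written by sophos.bat:
# %DATE%,%TIME%,%vPassVar02%,%USERDOMAIN%,%LOGONSERVER%,%COMPUTERNAME%,%USERNAME%
INVENTORY_FIELDS = ("date", "time", "note", "domain", "logon_server", "computer", "user")

# Literal strings RunMRT.cmd searches for with findstr /c:
THREAT_MARKER = "Threat detected:"
REBOOT_MARKER = "the system needs to be restarted."


def parse_inventory_line(line):
    """Parse one line of MachinesWOSophos$\\<COMPUTERNAME>.txt into a dict.

    The third field is free text (the script's second argument) and may contain
    commas, so the line is split two fields from the left and four from the
    right; whatever remains in the middle is the note. %DATE% and %TIME% are
    assumed to be in en-US format, as sophos.bat's own date parsing requires;
    a locale that writes the time as 14:43:33,12 would break this split.
    """
    left = line.rstrip("\r\n").split(",", 2)
    if len(left) != 3:
        raise ValueError("malformed inventory line: %r" % line)
    date, time_, rest = left
    right = rest.rsplit(",", 4)
    if len(right) != 5:
        raise ValueError("malformed inventory line: %r" % line)
    return dict(zip(INVENTORY_FIELDS, (date, time_, *right)))


def classify_mrt_log(text):
    """Apply RunMRT.cmd's sorting rule to the contents of mrt.txt.

    Returns (destination folder, reboot prompt needed). None stands for
    "mrt.txt was never produced", which the batch files under 03-CouldNotRun.
    The reboot test is an independent substring check on the same text, so it
    is true only when the restart sentence is really present.
    """
    if text is None:
        return "03-CouldNotRun", False
    if THREAT_MARKER in text:
        return "01-VirusFound", REBOOT_MARKER in text
    return "02-NoVirusFound", False


def build_report(inventory_files, mrt_logs):
    """Merge both shares into one per-machine view.

    inventory_files: {computer: text of its MachinesWOSophos$ file}. Because
    sophos.bat deletes that file as soon as SavService.exe is found, a machine
    is "without Sophos" exactly when it still has a file on the share.
    mrt_logs: {computer: text of mrt.txt, or None if the scan left no log}.
    A machine with no MRT entry at all is treated like one that left no log.
    """
    report = {}
    for computer in sorted(set(inventory_files) | set(mrt_logs)):
        raw = inventory_files.get(computer, "")
        entries = [parse_inventory_line(ln) for ln in raw.splitlines() if ln.strip()]
        folder, reboot = classify_mrt_log(mrt_logs.get(computer))
        report[computer] = {
            "has_sophos": computer not in inventory_files,
            "logons_without_sophos": len(entries),
            "last_user": entries[-1]["user"] if entries else None,
            "mrt": folder,
            "needs_reboot": reboot,
        }
    return report


def urgency(entry):
    """0 = infected and unprotected, 1 = infected, 2 = unprotected,
    3 = scan never produced a log, None = nothing to do."""
    infected = entry["mrt"] == "01-VirusFound"
    if infected and not entry["has_sophos"]:
        return 0
    if infected:
        return 1
    if not entry["has_sophos"]:
        return 2
    if entry["mrt"] == "03-CouldNotRun":
        return 3
    return None


def attention_list(report):
    """(computer, urgency) pairs for machines needing hands-on work, most urgent first."""
    ranked = ((name, urgency(e)) for name, e in report.items())
    return sorted((p for p in ranked if p[1] is not None), key=lambda p: (p[1], p[0]))


# Constructed sample share contents (domain, servers and log text are made up).
SAMPLE_INVENTORY = {
    "LAB-PC-07": (
        "Thu 02/11/2010,07:58:12.45,Computer Startup,NTHS,\\\\DC01,LAB-PC-07,LAB-PC-07$\n"
        "Thu 02/11/2010,08:03:41.02,User Logon, room 214,NTHS,\\\\DC01,LAB-PC-07,jdoe\n"
    ),
    "LIB-PC-12": "Thu 02/11/2010,08:10:05.10,Computer Startup,NTHS,\\\\DC02,LIB-PC-12,LIB-PC-12$\n",
}
SAMPLE_MRT = {
    "LAB-PC-07": "----*\nScan Run By: jdoe completed at Thu 02/11/2010, 08:05:00.00\n----*\n"
                 "Threat detected: Worm:Win32/Conficker.B\n"
                 "Cleaning requires that the system needs to be restarted.\n",
    "LIB-PC-12": "----*\nScan Run By: LIB-PC-12$ completed at Thu 02/11/2010, 08:12:00.00\n"
                 "----*\nNo infection found.\n",
    "OFF-PC-03": "----*\nThreat detected: Worm:Win32/Conficker.B\nThreat removed.\n",
    "ART-PC-01": None,  # the scan never produced an mrt.txt
}

if __name__ == "__main__":
    rep = build_report(SAMPLE_INVENTORY, SAMPLE_MRT)
    for name, level in attention_list(rep):
        e = rep[name]
        print("%d %-10s sophos=%-5s mrt=%-15s reboot=%-5s last_user=%s"
              % (level, name, e["has_sophos"], e["mrt"], e["needs_reboot"], e["last_user"]))
```

Run stand-alone it prints the ranked list for the constructed sample. The one detail worth carrying back to the batch side is that the reboot decision is a separate substring test on the same text; in cmd, a nested `IF %errorlevel%==0` inside a parenthesised block is expanded when the whole block is parsed, so it reflects the command that ran before the block opened, not the `findstr` just above it. `IF ERRORLEVEL n` (or delayed expansion) is what gives the run-time check.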